loophole
play

Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila - PowerPoint PPT Presentation

Nov 07, 2023 •482 likes •996 views

Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22 Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole

  1. Loophole Timing Attacks on Shared Event Loops in Chrome Pepe Vila November 22, 2016 Pepe Vila Loophole November 22, 2016 1 / 22

  2. Introduction Event-driven programming Event loops A timing side-channel on event loops Pepe Vila Loophole November 22, 2016 2 / 22

  3. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22

  4. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22

  5. Introduction: Event-driven programming EDP is a programming paradigm for GUI, web clients, networks and server-side The flow of the program is determined by events or messages Examples: Nginx, Node.js or memcached Used for message passing: inter-(thread | process) communication HTML5 standard 1 mandates user agents to use EDP: 1 https://html.spec.whatwg.org/#event-loop Pepe Vila Loophole November 22, 2016 3 / 22

  6. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop Pepe Vila Loophole November 22, 2016 4 / 22

  7. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } Pepe Vila Loophole November 22, 2016 4 / 22

  8. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Pepe Vila Loophole November 22, 2016 4 / 22

  9. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Pepe Vila Loophole November 22, 2016 4 / 22

  10. Introduction: Event loops Event loop, message dispatcher, message loop, or run loop FIFO queue & dispatcher: Q = []; while (true) { M = Q.shift (); // dequeue process(M); } If queue is empty, waits until an event arrives Blocking operations (e.g., database and network requests) are dealt with asynchronously Simple concurrency model for programmers Pepe Vila Loophole November 22, 2016 4 / 22

  11. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: Pepe Vila Loophole November 22, 2016 5 / 22

  12. Introduction: A timing side-channel on event loops Event loops are susceptible to timing side-channel attacks: when shared between mutually distrusting programs Pepe Vila Loophole November 22, 2016 5 / 22

  13. Our work (in poetry) “Loophole” Exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques - Abraham Lincoln Pepe Vila Loophole November 22, 2016 6 / 22

  14. Chrome’s architecture Same Origin Policy (SOP) Multi-process Shared event loops Pepe Vila Loophole November 22, 2016 7 / 22

  15. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Pepe Vila Loophole November 22, 2016 8 / 22

  16. Chrome’s architecture: Same Origin Policy (SOP) Central concept in the web security model Script from a site A can not access data from site V if origins differ: Origin := (scheme, domain, port ) Origin 1 Origin 2 http://example.com:8080 http://example.com http://mail.example.com http://app.example.com https://foo.example.com https://foo.example.com https://example.com http://example.com Pepe Vila Loophole November 22, 2016 8 / 22

  17. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22

  18. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22

  19. Chrome’s architecture: Multi-process Multi-process: 1 privileged host — N sandboxed renderers Each process has multiple threads. Each thread one message loop 2 DEMO: Chrome’s task manager 2 Chrome’s implementation of an event loop Pepe Vila Loophole November 22, 2016 9 / 22

  20. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance ) A Site is a registered domain plus a scheme Pepe Vila Loophole November 22, 2016 10 / 22

  21. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance ) A Site is a registered domain plus a scheme (different than SOP) Pepe Vila Loophole November 22, 2016 10 / 22

  22. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance ) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer ◮ When using iframes, linked nagivation or | processes | > T ◮ T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Pepe Vila Loophole November 22, 2016 10 / 22

  23. Chrome’s architecture: Shared event loops Different policies for mapping applications into renderer processes (default: process-per-site-instance ) A Site is a registered domain plus a scheme (different than SOP) Sharing the renderer ◮ When using iframes, linked nagivation or | processes | > T ◮ T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more Sharing the host process ◮ One for all renderers ◮ IPC through I/O thread Pepe Vila Loophole November 22, 2016 10 / 22

  24. Spying on shared event loops Main thread of a renderer I/O thread of the host process Pepe Vila Loophole November 22, 2016 11 / 22

  25. Spying on shared event loops Main thread of renderer processes Pepe Vila Loophole November 22, 2016 12 / 22

  26. Spying on shared event loops Main thread of renderer processes ◮ runs resource parsing, style calculation, layout, painting and Javascript ◮ each task blocks the event loop for a while ◮ when 2 pages share the process, the main thread’s event loop is shared ◮ A can eavesdrop information from V ’s tasks Pepe Vila Loophole November 22, 2016 12 / 22

  27. Spying on shared event loops Main thread of renderer processes ◮ runs resource parsing, style calculation, layout, painting and Javascript ◮ each task blocks the event loop for a while ◮ when 2 pages share the process, the main thread’s event loop is shared ◮ A can eavesdrop information from V ’s tasks I/O thread of the host process ◮ manages IPC with all children renderers ◮ demultiplexes all UI events to each corresponding renderer ◮ multiplexes all network requests from renderers ◮ each task/message/event also blocks the event loop Pepe Vila Loophole November 22, 2016 12 / 22

  28. Spying on shared event loops Main thread of renderer processes ◮ runs resource parsing, style calculation, layout, painting and Javascript ◮ each task blocks the event loop for a while ◮ when 2 pages share the process, the main thread’s event loop is shared ◮ A can eavesdrop information from V ’s tasks I/O thread of the host process ◮ manages IPC with all children renderers ◮ demultiplexes all UI events to each corresponding renderer ◮ multiplexes all network requests from renderers ◮ each task/message/event also blocks the event loop Some tasks are very fast ( << 0 . 1 ms). We need high timing resolution. Pepe Vila Loophole November 22, 2016 12 / 22

  29. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save( performance .now ()); // high -resolution timestamp self. postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self. postMessage (0,’*’); // post first async task Pepe Vila Loophole November 22, 2016 13 / 22

  30. Spying on shared event loops: renderer’s main thread Monitor the event loop from an arbitrary HTML page running Javascript: function loop () { save( performance .now ()); // high -resolution timestamp self. postMessage (0,’*’); // recursive invocation } self.onmessage = loop; // set event handler self. postMessage (0,’*’); // post first async task 1 Generates a trace of timing measurements 2 Resolution ≈ 25 µ s Pepe Vila Loophole November 22, 2016 13 / 22

  31. Spying on shared event loops: host’s I/O thread Monitor the loop from any HTML page running Javascript: function loop () { save( performance .now ()); fetch(new Request(’http ://0.0.0.0 ’)).catch(loop); } loop (); Pepe Vila Loophole November 22, 2016 14 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine Canadas Climate Goals environmental defence Dale Marshall Jennifer Skene Graham Saul Photo Credit: River Jordan for NRDC The Boreal Forest CARBON:

508 views • 23 slides
A Strong Loophole-Free Test of Local Realism o A o B s B source s A Bob Alice ? LR theories

A Strong Loophole-Free Test of Local Realism o A o B s B source s A Bob Alice ? LR theories

A Strong Loophole-Free Test of Local Realism o A o B s B source s A Bob Alice ? LR theories Bell inequality arXiv:1511.03189 [quant-ph] Lynden K. Shalm, Evan Meyer-Scott, Bradley G. Christensen, Peter Bierhorst, Michael A. Wayne, Martin J.

1.01k views • 82 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA Software Institute About me Im Pepe @cgvwzq http://vwzq.net/ Some notes about Chrome Chrome was a blackbox for me. Its code base is immense.

622 views • 38 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net @cgvwzq github.com/cgvwzq DISCLAIMER: CRYPTACUS DISCLAIMER: CRYPTACUS DISCLAIMER: CRYPTACUS (its funny because its very ubiquitous)

1.05k views • 62 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila and Boris Kpf vwzq.net @cgvwzq github.com/cgvwzq EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW EVENT DRIVEN PROGRAMMING SO HOT RIGHT NOW Source:

1.2k views • 63 slides
Failure at every level: Shifts burden to residential Bad for business and the economy

Failure at every level: Shifts burden to residential Bad for business and the economy

Failure at every level: Shifts burden to residential Bad for business and the economy Loophole-ridden law Fiscal policy and land use failure Simple and effective remedies: Smart Roll The opposite of good economics:

412 views • 7 slides
The July 18 Tax Proposals Tax Grab, Tax Reform or Just Plain Confusion? Tax Rules and Fake News:

The July 18 Tax Proposals Tax Grab, Tax Reform or Just Plain Confusion? Tax Rules and Fake News:

The July 18 Tax Proposals Tax Grab, Tax Reform or Just Plain Confusion? Tax Rules and Fake News: Calling a Tax Shake-Up and a Taxpayer Shakedown a Loophole Closure The Tax Accountants and Litigators Annuity Act INTRODUCTION 3 4 4

1.05k views • 83 slides
Explaining quantum correlations Robin Harper University of Sydney through evolution of causal

Explaining quantum correlations Robin Harper University of Sydney through evolution of causal

Explaining quantum correlations Robin Harper University of Sydney through evolution of causal models spukhafte Fernwirkung! spukhafte Fernwirkung! (Spooky action at a distance) Loophole-free Bell inequality violation using electron spins

946 views • 19 slides
Advert / Phones and their impact on our streets Bristol Walking Alliance Roger Gimson Advert /

Advert / Phones and their impact on our streets Bristol Walking Alliance Roger Gimson Advert /

Advert / Phones and their impact on our streets Bristol Walking Alliance Roger Gimson Advert / Phones planning A loophole in the planning law allows telecoms providers to put telephone kiosks on the highway under prior approval

348 views • 18 slides
The Shadow Cost of Bank Capital Requirements Roni Kisin Washington University in St. Louis Asaf

The Shadow Cost of Bank Capital Requirements Roni Kisin Washington University in St. Louis Asaf

Intro Loophole Empirical Approach Results Discussion Robustness Conclusion The Shadow Cost of Bank Capital Requirements Roni Kisin Washington University in St. Louis Asaf Manela Washington University in St. Louis April 2015 Intro

705 views • 31 slides
Energy-Efficiency in GPUs By: Ehsan Sharifi Esfahani Outlines Upward trend of using accelerator

Energy-Efficiency in GPUs By: Ehsan Sharifi Esfahani Outlines Upward trend of using accelerator

A Survey on Energy-Efficiency in GPUs By: Ehsan Sharifi Esfahani Outlines Upward trend of using accelerator in supercomputers An Argument about TOP500 website Motivations Challenges Source of energy consumption in GPUs

553 views • 21 slides
On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis Anne Canteaut Inria, France Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/Anne.Canteaut/ joint work with Jolle Rou ESC 2015, Clervaux,

540 views • 30 slides
In egalit es spectrales pour le contr ole des EDP lin eaires : groupe de Schr

In egalit es spectrales pour le contr ole des EDP lin eaires : groupe de Schr

In egalit es spectrales pour le contr ole des EDP lin eaires : groupe de Schr odinger contre semigroupe de la chaleur. Luc Miller Universit e Paris Ouest Nanterre La D efense, France Pdes, Dispersion, Scattering theory and

652 views • 37 slides
DUSEL Project Richard W. Kadel Project X Workshop Figure Courtesy FNAL, 9-Nov-2009 1 R. W.

DUSEL Project Richard W. Kadel Project X Workshop Figure Courtesy FNAL, 9-Nov-2009 1 R. W.

Homestake DUSEL DUSEL Project Richard W. Kadel Project X Workshop Figure Courtesy FNAL, 9-Nov-2009 1 R. W. Kadel, Homestake DUSEL Project X Workshop, 9-Nov-2009 PDG and LBNL Outline DUSEL project goals Roles and Responsibilities.

608 views • 42 slides
Do we need dataflow programming? Ant ntho hony Da y Dana nali lis Innovative Computing

Do we need dataflow programming? Ant ntho hony Da y Dana nali lis Innovative Computing

Do we need dataflow programming? Ant ntho hony Da y Dana nali lis Innovative Computing Laboratory University of Tennessee CCDS DSC1 16, C , Cha hateau d des Cont ntes Programming vs Execution Dataflow based execution

565 views • 37 slides
THE MIGHTY MINI DOCUMENT CAMERA! COMPARING SMART PENS AND DOCUMENT CAMERAS Suzanne Sumner,

THE MIGHTY MINI DOCUMENT CAMERA! COMPARING SMART PENS AND DOCUMENT CAMERAS Suzanne Sumner,

THE MIGHTY MINI DOCUMENT CAMERA! COMPARING SMART PENS AND DOCUMENT CAMERAS Suzanne Sumner, Professor of Mathematics, ssumner@umw.edu University of Mary Washington, Fredericksburg, VA ADVANTAGES AND DISADVANTAGES OF SMART PENS &amp; DOCUMENT

353 views • 12 slides
SAHARA Project overview and update TELLES NOBREGA IRC: TELLESNOBREGA EMAIL:

SAHARA Project overview and update TELLES NOBREGA IRC: TELLESNOBREGA EMAIL:

May 2019 SAHARA Project overview and update TELLES NOBREGA IRC: TELLESNOBREGA EMAIL: TENOBREG@REDHAT.COM What does Sahara do? Data processing service Provides a way to deploy data processing clusters with minimum effort from

269 views • 11 slides
4/17/13 Background &amp; Selection Process Fall of 2009: Testing &amp; comparing of web

4/17/13 Background &amp; Selection Process Fall of 2009: Testing &amp; comparing of web

4/17/13 Background &amp; Selection Process Fall of 2009: Testing &amp; comparing of web scale discovery services OCLC WorldCat Local - set up free version Sept. 2009 EBSCO Discovery Service &amp; Summon demo Oct. 2009 EDS

330 views • 3 slides
CS 126 Lecture A1: TOY Machine Outline Introduction Toy machine Machine language

CS 126 Lecture A1: TOY Machine Outline Introduction Toy machine Machine language

CS 126 Lecture A1: TOY Machine Outline Introduction Toy machine Machine language instructions Example machine language programs Conclusions CS126 9-1 Randy Wang Brief History Leading to the Dominance of von Neumann

446 views • 33 slides
Introduc@on The slides are courtesy of Dr. Jeffrey Shafer

Introduc@on The slides are courtesy of Dr. Jeffrey Shafer

Computer Systems and Networks ECPE 170 Vivek Pallipuram University of the Pacific Introduc@on The slides are courtesy of Dr. Jeffrey Shafer

852 views • 66 slides
INFOGR Computer Graphics Jacco Bikker &amp; Debabrata Panja - April-July 2017 Lecture 1:

INFOGR Computer Graphics Jacco Bikker &amp; Debabrata Panja - April-July 2017 Lecture 1:

INFOGR Computer Graphics Jacco Bikker &amp; Debabrata Panja - April-July 2017 Lecture 1: Introduction Welcome! Todays Agenda: Graphics Course Introduction Field Study Rasters Colors INFOGR Lecture 1

924 views • 80 slides
Living with Concurrency Peter Grogono Computer Science and Software Engineering Concordia

Living with Concurrency Peter Grogono Computer Science and Software Engineering Concordia

Living with Concurrency Peter Grogono Computer Science and Software Engineering Concordia University CUSEC 18 January 2008 Bob Dewar &amp; Ed Schonberg Computer Science Education: Where Are the Software Engineers of Tomorrow?

869 views • 64 slides
33 and all that Andrew Booker University of Bristol July 2019 Andrew Booker 33 and all that

33 and all that Andrew Booker University of Bristol July 2019 Andrew Booker 33 and all that

33 and all that Andrew Booker University of Bristol July 2019 Andrew Booker 33 and all that Three cubes and a sum ( 2 736 111 468 807 040) 3 + ( 8 778 405 442 862 239) 3 + 8 866 128 975 287 528 3 =

322 views • 16 slides
Methodologies of Symbolic Computation James Davenport University of Bath 1819 September 2018

Methodologies of Symbolic Computation James Davenport University of Bath 1819 September 2018

Methodologies of Symbolic Computation James Davenport University of Bath 1819 September 2018 James Davenport Methodologies of Symbolic Computation 1 / 31 Structure 1 Introduction and History 2 Better straightforward algorithms 3 Modular

470 views • 31 slides

More recommend